Black Hat and DEF CON are two of the main safety conferences within the U.S., drawing giant crowds of cyber and AI decision-makers to Las Vegas. Black Hat USA 2024 ran from Aug. 3-8, with a lot of the briefings occurring on Aug. 7 and eight; DEF CON 32 ran from Aug. 8-11. We’re rounding up the enterprise enterprise tech information from Black Hat and DEF CON that’s most related for IT and tech decision-makers.
CrowdStrike given ‘Epic Fail’ award
One of many traditions of DEF CON is the Pwnie Awards, an irreverent night time the place trophies are given out for each extraordinary successes and extraordinary failures. CrowdStrike’s world outage earned them the latter. The Pwnie Awards selected CrowdStrike early, a couple of week after the outage in July, and offered the trophy at DEF CON on Aug. 10. CrowdStrike President Michael Sentonas accepted the trophy in particular person.
Learn how to maintain generative AI accountable
A significant subject of dialog and analysis at Black Hat was maintain generative AI accountable within the case of hallucinations, misinformation, or follow-on results from generated content material.
On the one-day AI Summit (ticketed individually from the remainder of Black Hat), consultants mentioned safe AI fashions and functions for enterprise use, in addition to the usage of AI in cyberattacks.
AI Village at DEF CON tasked a workforce of hackers with exploring detect and report AI flaws. This occasion is notable as a result of each the vulnerabilities and the strategies of reporting these vulnerabilities will likely be below scrutiny. Ideally, the teachings realized at this occasion will assist AI distributors construct frameworks for extra thorough and correct reporting.
DARPA and different authorities organizations had a major presence at DEF CON, as they offered data on securing generative AI. The AI Cyber Problem (AIxCC) Semifinal Competitors examined hackers’ expertise in securing crucial infrastructure in a hypothetical, futuristic metropolis.
Researchers from cloud safety firm Wiz put generative AI infrastructure to the check of their research of AI-as-a-service platforms. The workforce hacked Hugging Face and Replicate, main generative AI internet hosting companies, utilizing “malicious fashions” to maneuver laterally throughout the platform. That gave them a backdoor into non-public AI fashions, at which level they might acquire data on proprietary weights, consumer prompts, and datasets. From there, they might launch provide chain assaults from the AI-as-a-service platform.
Patches and vulnerabilities recognized
Many organizations at Black Hat and DEF CON introduced patches and noteworthy vulnerabilities at their briefings. See the entire checklist of DEF CON audio system for extra.
Sonos audio system might be compromised, permitting attackers to hear in, two researchers from NCC Group revealed on Aug. 8. The exploit is made doable by way of the WPA2 Handshake encryption protocol, which may give an attacker distant entry to the kernel. The researchers demonstrated turning a Sonos machine right into a “wiretap” and jailbreaking a Sonos Period-100 good speaker.
Researchers Dennis Giese and Braelynn, a safety guide at Leviathan Safety Group, detailed their work in discovering bodily and side-channel assaults on Digilock and SAG good lockers. This analysis is a reminder to not reuse secret PINs throughout crucial units like safes and telephones.
Aqua Safety introduced on Aug. 7 that it had pinpointed a vulnerability in six AWS cloud companies that would let attackers execute code remotely or take over accounts. Amazon has since shut that door. The issue was that S3 buckets for these six companies — CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar — had names with related patterns. Due to this, attackers might guess names to plant malicious code in legit S3 buckets.
On Aug. 9, Amazon launched the next unattributed assertion: “AWS is conscious of this analysis. We will verify that we now have fastened this problem, all companies are working as anticipated, and no buyer motion is required.”
Elsewhere at Black Hat, Zenity CTO Michael Bargury demonstrated how attackers can hijack Microsoft Copilot utilizing oblique immediate injection and by poisoning RAG — a preferred technique for enhancing the accuracy of AI fashions.
In his briefing, Bargury highlighted the challenges generative AI presents to safety groups, together with distant code execution and “promptware.” He additionally really helpful strategies for locking down Copilot entry towards malicious actors, together with folks already contained in the goal firm.
The safety world remains to be engaged on standardized safety for AI
Cybersecurity service HackerOne recognized a number of developments within the intersection between generative AI and safety:
- Generative AI helps menace actors assault at higher scales than earlier than.
- Generative AI must be outlined in ways in which enable for higher standardization in safety and governance.
- Open-source fashions are on-trend.
“Step one we have to take is creating and agreeing upon a set of frequent definitions,” Michiel Prins, cofounder of HackerOne, wrote in an e mail to TechRepublic. “We should ask: What’s AI? Is it GenAI or LLMs? What in regards to the ML options which have been round for many years? The area is riddled with unclear definitions, which makes it more and more tough for folks to know one another.”
Enhancing safety intelligence
X-Ops, the safety response workforce of IT-as-a-service supplier Sophos, launched a report on Tuesday about new techniques ransomware attackers use to place stress on their victims. These techniques can embrace:
- Encouraging prospects to open authorized instances towards sufferer organizations.
- Opening authorized instances themselves.
- In search of monetary details about goal corporations, significantly data which may reveal inaccuracies or subterfuge.
- Exposing prison exercise that will happen on firm units.
- Portray the organizations they aim as negligent or morally poor.
Notable product releases
Flashpoint launched new options and capabilities in Flashpoint Ignite and Echosec on Aug. 6. Flashpoint Ignite, the flagship platform, will now embrace investigations administration and intelligence necessities mapping, which match Flashpoint collections with Precedence Intelligence Necessities. Echosec will embrace location safety beginning Aug. 6.
The AI safety firm CalypsoAI boosted its product line with out-of-the-box scanners for particular business-use instances and verticals and real-time menace updates.
Keynotes carry nationwide and company gamers
Keynote audio system for Black Hat 2024 included Cybersecurity and Infrastructure Safety Company Director Jen Easterly, Google Safety Engineering Supervisor Ellen Cram Kowalczyk, and Microsoft Menace Intelligence Technique Director Sherrod DeGrippo.
TechRepublic coated Black Hat and DEF CON remotely.
